Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-20-2003, 07:17 AM   #1
alfaalfabeta
LQ Newbie
 
Registered: Jul 2003
Posts: 4

Rep: Reputation: 0
tripwire reports /usr/sbin/tripwire changed


Tripwire reports that several tripwire files changed:
/usr/sbin/tripwire, */siggen, */twprint and so on.
No other important system files seem to be different.

I don't think tripwire has been updated recently, but how can I check this in RedHat 8.0?

Can I conclude that my box most likely has been hacked?
 
Old 07-20-2003, 07:46 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860
Hello alfaalfabeta,

welcome to LQ. Good you're using tripwire. I hope you're saving a copy of the databases on read-only media?

Tripwire reports that several tripwire-files changed
What kind of changes are we talking about? Inode only, inode plus checksum etc, etc? Post an example please.

I dont think tripwire has been updatet recently
Did you check the installdate for the tripwire rpm?
Provided your rpm database is "sane" and the tripwire package is an rpm, you could run this script as "rpm-contentsof-file+md5 tripwire" and it'll spit out some info.
Code:
#!/bin/bash
# Purpose: Query an rpm and display info, files with md5sum
# Args: <package>
# Deps: Bash, GNU utils, rpm
# Run from: manual
progn=$(basename "$0")
case "$#" in 0) echo "$progn: <rpm package>"; exit 1;; esac
# rpm -q can return more than one installed version; handle each one
rpm -q "$1" | while read -r package; do
        rpm -q "${package}" --queryformat 'Package: %{NAME}-%{VERSION}-%{RELEASE}\nInstalldate: %{INSTALLTIME:date}\nDescription:\n%{DESCRIPTION}\n'
        # --dump fields: path size mtime md5 mode owner group isconfig isdoc rdev symlink
        rpm -q --dump "${package}" | while read -r item; do item=( ${item} )
        # regular files only; field 4 is the md5sum rpm recorded at install time
        if [ -f "${item[0]}" -a "${#item[3]}" -gt "20" ]; then
                printf "%s %s %s\n" "${package}" "${item[0]}" "${item[3]}"
        fi
        done
done
Can I conclude that my box most likely have been hacked?
No, you can't. There's too little "evidence" for that. It would be a good time (and stimulus, hopefully) to start checking your security measures though. For a broad overview, please refer to the first sticky thread in this forum, especially post #1 checklists and distro-specific stuff.
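Added example (not from the thread and not unSpawn's script above): a small sh script that does in the open what "rpm -V tripwire" does for you, by comparing every regular file in a package against the md5sum rpm stored at install time, the same field the script above prints. Assumptions: rpm, md5sum and awk are trusted copies, the rpm database itself has not been tampered with, and --dump uses rpm's usual field order (path size mtime md5 mode owner group isconfig isdoc rdev symlink). The selftest function, its temporary file and its dump lines are constructed for the demo so it runs without rpm.

```shell
#!/bin/sh
# Added example, not from the thread: check an installed package's files
# against the md5sums rpm recorded at install time. "rpm -V <package>" does
# the same natively; this spells out what that check consists of, so the
# result can be reasoned about. Assumes rpm, md5sum and awk are trusted
# copies (read-only media), and that the rpm database itself is intact.

# Keep "path md5" pairs for regular files from `rpm -q --dump` output.
# Dump fields: path size mtime md5 mode owner group isconfig isdoc rdev symlink
# Directories, symlinks and devices carry an all-zero digest and are skipped.
dump_files() {
    awk 'length($4) == 32 && $4 !~ /[^0-9a-f]/ && $4 !~ /^0+$/ { print $1, $4 }'
}

# Hash one file and compare with the recorded digest.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_file() {
    path=$1; recorded=$2
    [ -f "$path" ] || return 2
    current=$(md5sum "$path" | awk '{print $1}')
    [ "$current" = "$recorded" ]
}

# Read dump lines on stdin, print one line per problem, return 1 if any.
verify_dump() {
    problems=$(dump_files | while read -r path recorded; do
        rc=0
        verify_file "$path" "$recorded" || rc=$?
        case $rc in
            1) echo "MISMATCH $path" ;;
            2) echo "MISSING $path" ;;
        esac
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Real use on an rpm-based box: verify_pkg tripwire
verify_pkg() {
    rpm -q --dump "$1" | verify_dump
}

# Offline demo with a constructed file and constructed dump lines (no rpm
# needed). Returns 0 if the untouched file verifies, and the tampered copy
# and a missing file are both reported.
selftest() {
    tmp=$(mktemp -d) || return 2
    printf 'stand-in for /usr/sbin/tripwire\n' > "$tmp/tripwire"
    d=$(md5sum "$tmp/tripwire" | awk '{print $1}')
    good="$tmp/tripwire 31 1047587023 $d 0100755 root root 0 0 0 X"
    dir="$tmp 0 1047587023 00000000000000000000000000000000 040755 root root 0 0 0 X"
    gone="$tmp/twprint 10 1047587023 $d 0100755 root root 0 0 0 X"
    rc=0
    printf '%s\n%s\n' "$good" "$dir" | verify_dump >/dev/null || rc=1
    printf 'tampered\n' > "$tmp/tripwire"
    report=$(printf '%s\n%s\n' "$good" "$gone" | verify_dump) && rc=1
    expected=$(printf 'MISMATCH %s\nMISSING %s\n' "$tmp/tripwire" "$tmp/twprint")
    [ "$report" = "$expected" ] || rc=1
    rm -rf "$tmp"
    return $rc
}
```

A clean result only says the files match what rpm thinks was installed. If an intruder with root replaced the rpm database, or the rpm and md5sum binaries you just ran, it proves nothing, which is why the question about read-only media matters and why fetching the md5sums from rhn.redhat.com, as done later in this thread, is the stronger check.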
 
Old 07-21-2003, 03:37 AM   #3
alfaalfabeta
LQ Newbie
 
Registered: Jul 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Thank you for a very quick reply.

I hope you're saving a copy of the databases on read-only media?
No. And I am really sorry about that now.

Tripwire reports that several tripwire-files changed
What kind of changes are we talking about?

CRC32 and MD5

I dont think tripwire has been updatet recently
rpm -qi says install-date 06.05.2003. Does this mean that it isn't updated after that?

The second last report is from 05.07.2003 and reports no errors.
 
Old 07-22-2003, 12:39 PM   #4
alfaalfabeta
LQ Newbie
 
Registered: Jul 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Could I conclude that the box is not hacked because

-No other important system files seem changed. Wouldn't a hacker have changed other files too?
-It's just md5 and crc32 that fail and nothing else.
 
Old 07-22-2003, 04:03 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860
The long answer would cover the range of checks you do with stuff you don't trust, like making sure the tools you use to check aren't the ones local to the system, the analysis of what file "attributes" changed and the probability of a file being changed as aiding in/an indication of a breach or compromise etc etc.

In short: yes, that would be the conclusion.
 
Old 07-22-2003, 05:52 PM   #6
alfaalfabeta
LQ Newbie
 
Registered: Jul 2003
Posts: 4

Original Poster
Rep: Reputation: 0
I started with nmapping the box from inside and outside, and no ports were open.

So I went to rhn.redhat.com pages and got md5sum for important files. They showed nothing wrong.

Was tripwire itself the problem? Yes, indirectly. I made a new report and it showed no errors. (The box had been off the net the whole time.)

The logs before the possible hack showed memory/swap-errors.

So I guess the issue is solved; my mem is unstable.

Thanks for all help
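Added example, not from the thread: the mismatches here were finally traced to unstable memory, so before reading a CRC32/MD5 change as tampering it is worth asking whether the box even reads the file consistently. Hash the same file several times and compare: a replaced binary hashes to the same "wrong" value on every read, while flaky RAM or a dying disk gives a different answer per read. The sh functions below do that and triage one finding against the digest tripwire recorded. flaky_md5sum is a constructed stand-in for bad hardware so the failure mode can be exercised offline; HASH_CMD and FLAKY_STATE are names chosen for this example. Assumptions: md5sum and awk are trusted copies, and the recorded digest is available (from the tripwire report or the rpm database).

```shell
#!/bin/sh
# Added example, not from the thread: tell a hash mismatch caused by unstable
# hardware apart from a real file change. A replaced binary hashes to the
# same "wrong" value on every read; a box with bad RAM or a failing disk
# gives different digests for an unchanged file on different reads. Assumes
# HASH_CMD is a trusted md5sum (ideally run from read-only media).
HASH_CMD=${HASH_CMD:-md5sum}

digest() { "$HASH_CMD" "$1" | awk '{print $1}'; }

# Hash a file N times (default 5) and print each distinct digest seen.
# Returns 0 if every read agrees, 1 if reads disagree (hardware suspect),
# 2 if the file cannot be read.
hash_stable() {
    path=$1; runs=${2:-5}
    [ -r "$path" ] || return 2
    seen=""
    i=0
    while [ "$i" -lt "$runs" ]; do
        d=$(digest "$path") || return 2
        case " $seen " in
            *" $d "*) ;;
            *) seen="$seen $d" ;;
        esac
        i=$((i + 1))
    done
    set -- $seen
    printf '%s\n' "$@"
    [ "$#" -eq 1 ]
}

# Triage one tripwire finding: the digest tripwire recorded vs. what the box
# reads now. Prints OK, CHANGED (stable but different: a real change),
# UNSTABLE (reads disagree: check the hardware before blaming an intruder)
# or UNREADABLE. Returns 0 only for OK.
classify() {
    path=$1; recorded=$2; runs=${3:-5}
    rc=0
    out=$(hash_stable "$path" "$runs") || rc=$?
    case $rc in
        2) echo UNREADABLE; return 2 ;;
        1) echo UNSTABLE; return 1 ;;
    esac
    if [ "$out" = "$recorded" ]; then
        echo OK
        return 0
    fi
    echo CHANGED
    return 1
}

# Constructed stand-in for a machine with flaky memory: a "md5sum" that
# returns a different digest every other call for the same file. Run with
# HASH_CMD=flaky_md5sum to see the UNSTABLE path exercised offline.
FLAKY_STATE=${FLAKY_STATE:-${TMPDIR:-/tmp}/flaky_md5sum.$$}
flaky_md5sum() {
    if [ -e "$FLAKY_STATE" ]; then
        rm -f "$FLAKY_STATE"
        echo "11111111111111111111111111111111  $1"
    else
        : > "$FLAKY_STATE"
        echo "22222222222222222222222222222222  $1"
    fi
}
```

Usage: "classify /usr/sbin/tripwire <digest from the last good report>" on the box, or "HASH_CMD=flaky_md5sum classify /usr/sbin/tripwire <digest>" to see the UNSTABLE result without real bad hardware. UNSTABLE means test the hardware first (memtest86 for RAM); CHANGED means the file really differs, and comparing against vendor md5sums from rhn.redhat.com, as done in this thread, is the next step. A stable digest read on the box is still a read through that box's kernel and libc, which is the point made in post #5; the cautious version runs the same check from boot media.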
 
  

